SoylentNews is people

posted by cmn32480 on Sunday February 21 2016, @03:16PM
from the ruh-roh dept.

If you downloaded Mint Cinnamon today (for versions of "today" that include February 20th, 2016) you should immediately check the MD5 checksum. Blog Entry here.

From Clem:

We were exposed to an intrusion today. It was brief and it shouldn't impact many people, but if it impacts you, it's very important you read the information below.

Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it.

As far as we know, the only compromised edition was Linux Mint 17.3 Cinnamon edition.

If you downloaded another release or another edition, this does not affect you. If you downloaded via torrents or via a direct HTTP link, this doesn't affect you either.

Finally, the situation happened today, so it should only impact people who downloaded this edition on February 20th.

Apparently the hacked ISOs are hosted on 5.104.175.212 and the backdoor connects to absentvodka.com. Both lead to Sofia, Bulgaria, and the name of 3 people over there.

The comment thread suggests that the ISOs are showing up in other places, and that the Mint site may still not be entirely secure.
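
The checksum check the story asks for, as an added example (not part of the original post or the Linux Mint blog entry). The function name verify_iso is hypothetical, and it assumes a checksum list in md5sum/sha256sum format that was obtained from somewhere other than the page that served the download:

```shell
#!/bin/sh
# Added example: check a downloaded ISO against a published checksum list.
# Assumptions: the list uses md5sum/sha256sum format ("<hex>  <name>" or
# "<hex> *<name>"), file names contain no spaces, and the list itself came
# from a trusted copy (for instance one whose PGP signature was checked),
# not from the same page that pointed at the ISO.

# verify_iso ISO SUMS
# returns 0 = digest matches, 1 = mismatch, 2 = not listed / unusable input
verify_iso() {
    iso=$1
    sums=$2
    [ -r "$iso" ] && [ -r "$sums" ] || { echo "unreadable input" >&2; return 2; }
    name=$(basename "$iso")

    # Look up the expected digest for this file name; a leading '*' on the
    # name only marks binary mode and is stripped before comparing.
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { print tolower($1); exit }' "$sums")
    [ -n "$expected" ] || { echo "$name: not listed in $sums" >&2; return 2; }

    # Choose the tool from the digest length: 32 hex = MD5, 64 hex = SHA-256.
    case ${#expected} in
        32) tool=md5sum ;;
        64) tool=sha256sum ;;
        *)  echo "$name: unrecognised digest length" >&2; return 2 ;;
    esac

    actual=$("$tool" "$iso" | awk '{ print tolower($1) }')
    if [ "$actual" = "$expected" ]; then
        echo "$name: OK ($tool)"
        return 0
    fi
    echo "$name: MISMATCH expected=$expected actual=$actual" >&2
    return 1
}
```

A file that is missing from the list returns 2 rather than passing silently, so an unlisted ISO is never reported as verified.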


  • (Score: 3, Informative) by frojack on Sunday February 21 2016, @09:30PM

    by frojack (1554) on Sunday February 21 2016, @09:30PM (#307876)

    PGP fingerprints could be forged using MITM, so I'm curious as to why the FOSS movement doesn't think this serious?

    Because it's very difficult to pull off a MITM attack against the entire world simultaneously which will go unnoticed.

    I keep signing stuff (packages, email, etc) using my valid (private) key, but some MITM substitutes a different public key, and all of a sudden my emails won't validate, my packages won't validate, and alarms sound and people start checking. It's very tricky to pull off a MITM attack against a properly signed package or even a signed email.

    --
    No, you are mistaken. I've always had this sig.
  • (Score: 3, Interesting) by opinionated_science on Sunday February 21 2016, @10:23PM

    by opinionated_science (4031) on Sunday February 21 2016, @10:23PM (#307894)

    well I am using debian, which doesn't sign by default. I used to use OpenSuse which did.

    Since the Snowden revelations, I am surprised paranoia is not running at overload. Add the likelihood of backdoors at various levels of the hw/sw stack, the one place we can add security is the open source packages we install!!!

    But then we have that old compiler problem too...;-)

    Good Security is *HARD*. A lesson I feel a complete beginner at...

    • (Score: 3, Interesting) by frojack on Sunday February 21 2016, @11:08PM

      by frojack (1554) on Sunday February 21 2016, @11:08PM (#307914)

      I try to avoid Debian based distros just because you never know when they are going to erupt into another cat fight.

      But in checking exactly one random package I see that things are signed as well as checksummed at sign-in
      ( see https://packages.qa.debian.org/c/claws-mail/news/20160126T114928Z.html [debian.org] ).

      But I haven't gone rooting around in their outbound distro source or binary repositories to see if that
      persists all the way to the end user.

      --
      No, you are mistaken. I've always had this sig.
    • (Score: 2) by gottabeme on Tuesday February 23 2016, @07:11AM

      by gottabeme (1531) on Tuesday February 23 2016, @07:11AM (#308570)

      well I am using debian, which doesn't sign by default.

      What? Debian has been signing its repos for many years. Maybe you need to read this: https://www.debian.org/doc/manuals/securing-debian-howto/ch7 [debian.org] Scroll down to "7.5 Package signing in Debian".